1 ## To convert this file to apache.conf using the current Girocco::Config values
2 ## either do "make" or "make apache.conf" or ./make-apache-conf.sh
4 # This is an example configuration of a virtualhost running Girocco, as set up
5 # at repo.or.cz; unfortunately, completely independent from Girocco::Config.
6 # It is not essential for Girocco to use a special virtualhost, however.
9 # ---- BEGIN LINES TO DUPLICATE ----
# @@httpdnsname@@ is a template placeholder; per the header of this file the
# real value is substituted from Girocco::Config when apache.conf is generated.
11 ServerName @@httpdnsname@@
12 ServerAlias www.@@httpdnsname@@
15 # This is the standard "combined" log format with :actual-server-port added to the end
# NOTE(review): %r, %{Referer}i and %{User-Agent}i record client-supplied text;
# treat these fields as untrusted when the log feeds parsers or detection rules.
16 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
17 <IfModule logio_module>
18 # %I and %O are only available with the logio_module
# Redefines the same "girocco" nickname with %O in place of %b.
19 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" :%{local}p" girocco
# Error log and access log (in the "girocco" format defined above) use fixed paths.
22 ErrorLog /var/log/apache2/repo-error.log
23 CustomLog /var/log/apache2/repo-access.log girocco
25 <IfModule mime_magic_module>
26 # Avoid spurious Content-Type values when git-http-backend
27 # fails to provide a Content-Type header in its output
# Pointing the magic file at /dev/null leaves mod_mime_magic with no rules,
# so it cannot guess a Content-Type from response content.
28 MimeMagicFile /dev/null
31 DocumentRoot @@webroot@@
32 <Directory @@webroot@@>
33 # Add MultiViews only if pages are truly
34 # offered in more than a single language
35 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
# NOTE(review): FollowSymLinks follows any symlink under the web root whatever
# its owner; the @@cgiroot@@ section later in this file uses the stricter
# SymLinksIfOwnerMatch. Keep @@webroot@@ writable by trusted accounts only.
36 Options FollowSymLinks
37 # FileInfo (or All) must be enabled to activate .htaccess file mod_rewrite rules
# Short URL prefixes for the three main CGI programs.
45 ScriptAlias /w @@cgiroot@@/gitweb.cgi
46 ScriptAlias /b @@cgiroot@@/bundles.cgi
47 ScriptAlias /h @@cgiroot@@/html.cgi
# Maps any other top-level NAME.cgi (with optional path info) into @@cgiroot@@;
# the negative lookahead keeps gitweb.cgi, bundles.cgi and html.cgi out of it.
# NOTE(review): inside the lookahead the trailing (?:/|$) binds only to the
# html\.cgi alternative, so the gitweb\.cgi and bundles\.cgi alternatives act
# as prefix matches -- confirm that is intended.
48 AliasMatch ^/(?!(?i)gitweb\.cgi|bundles\.cgi|html\.cgi(?:/|$))([^/]+\.cgi(?:/.*)?)$ @@cgiroot@@/$1
50 <IfModule rewrite_module>
53 # Snapshot requests are only allowed via the PATH_INFO mechanism
# A query string carrying a=snapshot (case-insensitive, delimited by & or ;)
# is answered with 403 Forbidden (F) for every URL; NS skips subrequests.
54 RewriteCond %{QUERY_STRING} (^|[&;])a=snapshot([&;]|$) [NC]
55 RewriteRule .* - [NS,F,L]
57 # Redirect snapshot requests to snapshot.cgi
59 ^/(?![bchr]/)(?:w/)?((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/snapshot(?:/.*|$)) \
60 @@cgiroot@@/snapshot.cgi/$1 [NS,L,H=cgi-script]
62 # Make the leading /h optional for requests that name an existing .html template
63 RewriteCond @@webroot@@/$1 !-f
64 RewriteCond @@cgiroot@@/$1 !-f
65 RewriteCond @@basedir@@/html/$1 -f
67 ^/(?![bchrw]/)(.*\.html)$ \
70 # Redirect bare /w requests without .git that name an existing repo...
71 RewriteCond @@reporoot@@/$1.git/HEAD -f
73 ^/w/((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
74 /w/$1.git [NS,L,R=301]
76 # ...and also make the leading /w optional for those types of requests
77 RewriteCond @@webroot@@/$1 !-f
78 RewriteCond @@cgiroot@@/$1 !-f
79 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
80 RewriteCond @@reporoot@@/$1.git/HEAD -f
82 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+(?<!\.git))/?$ \
85 # Make the leading /w optional if the rest names an existing repo
86 # and it's not a request for a bundle or bundle listing
87 RewriteCond @@webroot@@/$1$2 !-f
88 RewriteCond @@cgiroot@@/$1$2 !-f
89 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
90 RewriteCond @@reporoot@@/$1/HEAD -f
91 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
93 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)(?!/(?:bundles|[a-zA-Z0-9+._-]+\.bundle)$)((?:/.*)?)$ \
96 # Make the leading /b optional if the rest names an existing repo
97 # and it's a request for a bundle listing
98 RewriteCond @@webroot@@/$1 !-f
99 RewriteCond @@cgiroot@@/$1 !-f
100 RewriteCond %{HTTP_USER_AGENT} !git/ [NC]
101 RewriteCond @@reporoot@@/$1/HEAD -f
102 # Might want to use [NS,L,R] instead of [NS,PT] maybe even [NS,L,R=301]
104 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git)/bundles$ \
108 <Directory @@reporoot@@>
# NOTE(review): FollowSymLinks makes Apache follow any symlink found under the
# repository root. Confirm that nothing user-controlled can create symlinks
# there, or consider SymLinksIfOwnerMatch as used for @@cgiroot@@.
109 Options FollowSymLinks
115 <IfModule rewrite_module>
116 # Everything fetched over the non-smart git http
117 # protocol should be an existing file. If the request
118 # is not for an existing file, just send back an error
119 # message without emitting anything into the error log.
# $1 in the condition is the path captured by the RewriteRule pattern below;
# when @@reporoot@@/$1 is not a regular file the request ends with a 404.
122 RewriteCond @@reporoot@@/$1 !-f
123 RewriteRule ^(.*)$ - [NS,R=404,L]
127 <Directory @@cgiroot@@>
128 # FollowSymLinks or SymLinksIfOwnerMatch is required for .htaccess files
129 Options SymLinksIfOwnerMatch
130 # FileInfo must be enabled to activate .htaccess file mod_rewrite rules
# NOTE(review): AllowOverride FileInfo also lets .htaccess files set handlers,
# error documents and rewrite rules for this directory, so @@cgiroot@@ and any
# .htaccess in it should be writable by the administrator only.
131 AllowOverride FileInfo
# Fallback when neither FastCGI module is loaded: run as plain CGI.
# NOTE(review): the enclosing <Files>/<Directory> scope is not visible in this
# listing; presumably this applies to gitweb.cgi -- confirm.
137 <IfModule !mod_fastcgi.c>
138 <IfModule !mod_fcgid.c>
139 SetHandler cgi-script
143 # Note that in testing mod_fastcgi (in dynamic mode)
144 # was found to be slightly faster than mod_fcgid.
146 # However, we prefer mod_fcgid if both are available
147 # because we cannot control the server-global settings
148 # of mod_fastcgi's "FastCgiConfig" options.
150 # In order for gitweb.cgi to run reasonably well as a
151 # mod_fastcgi dynamic FastCGI application, the
152 # "FastCgiConfig" option "-idle-timeout" value needs to
153 # be increased from the default value of "30" to at
154 # least "120", preferably more like "300". But that
155 # will affect ALL dynamic mod_fastcgi applications on
156 # the ENTIRE server, not just gitweb.cgi. Additionally
157 # the "FastCgiConfig" "-restart" option probably ought
158 # to be set as well. Also, unfortunately, there is no
159 # mod_fastcgi option corresponding to mod_fcgid's
160 # MaxRequestsPerProcess option and gitweb.cgi running
161 # in FastCGI mode (without using FCGI::ProcManager) will
162 # always exit after serving 100 requests (a good thing).
164 # The alternative is to make gitweb.cgi a static
165 # mod_fastcgi application (the "FastCgiServer"
166 # directive), but then the number of running instances
167 # will be fixed at whatever value is chosen for the
168 # "-processes" option rather than being dynamically
169 # adjusted based on load and that's probably undesirable
170 # in most cases unless you run gitweb.cgi under a
171 # front-end that dynamically forks multiple copies of
172 # gitweb.cgi based on the current load. See the CPAN
173 # FCGI::ProcManager::Dynamic module for an example of
174 # how to do this in Perl:
176 # http://search.cpan.org/search?query=FCGI::ProcManager::Dynamic&mode=module
178 # So instead we prefer mod_fcgid because we can adjust
179 # the necessary options for good gitweb.cgi behavior
180 # while affecting only gitweb.cgi and having it remain
181 # a dynamic application whose total number of running
182 # instances is adjusted based on current server load.
# mod_fcgid takes precedence when loaded.
184 <IfModule mod_fcgid.c>
185 SetHandler fcgid-script
# mod_fastcgi is used only when mod_fcgid is absent.
187 <IfModule !mod_fcgid.c>
188 <IfModule mod_fastcgi.c>
189 SetHandler fastcgi-script
# Every *.cgi file except gitweb.cgi (name compared case-insensitively in the
# lookahead) is executed as an ordinary CGI script.
193 <FilesMatch ^(?!(?i)gitweb\.cgi$).*\.cgi$>
195 SetHandler cgi-script
201 <IfModule mod_fcgid.c>
202 # mod_fcgid benefits from some additional config for gitweb.cgi
203 # gitweb.cgi has a hard-coded maximum of 100 requests
204 # and we do not want to give up too soon in case Git is lagging
205 # Note that adding a 'MaxProcesses ...' option here may be valuable
206 # to limit the maximum number of gitweb.cgi processes that can be
207 # spawned (default is 100) -- perhaps to something much lower such
208 # as 1 or 2 times the number of CPU cores. Also note that in the
209 # unlikely event all the children finish their 100 requests at the
210 # same time, the server's FcgidSpawnScoreUpLimit should be set
211 # to at least 3 times the MaxProcesses value chosen to allow them
212 # all to respawn immediately. It MUST be at least twice the chosen
213 # MaxProcesses value (assuming FcgidTerminationScore is still the
214 # default 2) in order to allow any child to respawn at all without
# Per-command mod_fcgid settings for gitweb.cgi only: recycle each process
# after 100 requests (matching gitweb.cgi's own limit noted above) and allow
# up to 300 seconds of I/O inactivity before giving up on a request.
216 FcgidCmdOptions @@cgiroot@@/gitweb.cgi \
217 MaxRequestsPerProcess 100 IOTimeout 300
# Of the directives visible here, only the file named git-http-backend-verify
# in @@basedir@@/bin is given the cgi-script handler.
# NOTE(review): lines between these directives are missing from this listing;
# confirm the other files in bin/ are not made executable over HTTP.
220 <Directory @@basedir@@/bin>
225 <Files git-http-backend-verify>
227 SetHandler cgi-script
233 # Change the setting of $SmartHTTPOnly in Girocco::Config.pm to
234 # change whether or not non-smart HTTP fetch access will be allowed.
236 <IfDefine !@@SmartHTTPOnly@@>
237 # These accelerate non-smart HTTP access to loose objects and packs with the /r/ prefix
238 # But not for projects starting with '_' to which access should never be allowed
# These aliases serve files straight from @@reporoot@@ without going through
# git-http-backend-verify, so the pattern itself is the only '_' guard here.
# NOTE(review): [^_] tests only the first character after /r/; a path component
# deeper in the path that starts with '_' is not excluded by this pattern --
# confirm that matches the intended policy.
# NOTE(review): the '.' before (pack|idx) is unescaped and matches any
# character; '\.' would restrict it to a literal dot.
239 AliasMatch ^/r/([^_].*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ @@reporoot@@/$1
240 AliasMatch ^/r/([^_].*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ @@reporoot@@/$1
242 # These accelerate non-smart HTTP access for Git user agents without the /r/ prefix
243 # But not for projects starting with '_' to which access should never be allowed
244 <IfModule rewrite_module>
# Same object/pack shortcut as the /r/ aliases, for un-prefixed URLs, applied
# when the User-Agent contains "git/" (case-insensitive).
# NOTE(review): User-Agent is chosen by the client, so this condition is request
# routing, not access control; the [^_] test and the unescaped '.' before
# (?:pack|idx) carry the same caveats as the AliasMatch patterns above.
246 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
247 RewriteRule "(?x) ^/((?![bchrw]/)[^_].*/objects/(?: \
248 (?:[0-9a-f]{2}/[0-9a-f]{38}) | \
249 (?:pack/pack-[0-9a-f]{40}.(?:pack|idx)) ))$" \
250 @@reporoot@@/$1 [NS,L]
254 <IfDefine @@SmartHTTPOnly@@>
255 # Disable non-smart HTTP access
# Rule 1: under /r/, any non-POST request is forbidden unless the URL ends in
# /info/refs or names a *.bundle file.
257 RewriteCond %{REQUEST_METHOD} !^POST$
258 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
259 RewriteRule ^/r/.*(?<!/info/refs)$ - [NS,F]
# Rule 2: the same restriction for un-prefixed URLs, applied only when the
# User-Agent contains "git/" and the request is not for /authrequired.cgi.
# NOTE(review): User-Agent is client-supplied, so this rule and rule 4 select
# Git clients rather than enforce a boundary; confirm that other agents cannot
# reach repository files through these un-prefixed paths by another route.
260 RewriteCond %{REQUEST_METHOD} !^POST$
261 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
262 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
263 RewriteCond %{REQUEST_URI} !/[a-zA-Z0-9+._-]+\.bundle$
264 RewriteRule ^/(?![bchrw]/).*(?<!/info/refs)$ - [NS,F]
# Rule 3: /r/.../info/refs is forbidden unless the query string carries
# service=git-upload-pack or service=git-receive-pack (smart HTTP discovery).
265 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
266 RewriteRule ^/r/.*/info/refs$ - [NS,F]
# Rule 4: the same check for un-prefixed URLs from Git user agents.
267 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
268 RewriteCond %{QUERY_STRING} !(^|&)service=git-(upload|receive)-pack(&|$)
269 RewriteRule ^/(?![bchrw]/).*/info/refs$ - [NS,F]
272 # SetEnv GIT_HTTP_BACKEND_BIN to override Config.pm $git_http_backend_bin
273 # git-http-backend-verify denies all access to projects starting with '_'
# Every request under /r/ is passed to the git-http-backend-verify wrapper as
# CGI, with the remainder of the URL as path info.
274 ScriptAlias /r/ @@basedir@@/bin/git-http-backend-verify/
276 <IfModule rewrite_module>
279 # This allows HTTP access for Git user agents
280 # without the leading /r/ prefix
281 RewriteCond %{HTTP_USER_AGENT} git/ [NC]
282 RewriteCond %{REQUEST_URI} !^/authrequired[.]cgi$
283 RewriteRule ^/(?![bchrw]/)(.*)$ \
284 @@basedir@@/bin/git-http-backend-verify/$1 \
287 # ...and this for access by all agents to *.bundle
288 # files without the /r/ prefix for names ending in .git
290 ^/(?![bchrw]/)((?:[a-zA-Z0-9+._-]+(?<!\.git)/)*[a-zA-Z0-9+._-]+?\.git/[a-zA-Z0-9+._-]+\.bundle)$ \
291 @@basedir@@/bin/git-http-backend-verify/$1 \
294 # ...and finally this for access by all agents to
295 # *.bundle files without the /r/ prefix for names not
296 # ending in .git as long as the repository exists
297 RewriteCond @@reporoot@@$1.git/HEAD -f
299 ^(?!/[bchrw]/)((?:/[a-zA-Z0-9+._-]+(?<!\.git))+)(/[a-zA-Z0-9+._-]+\.bundle)$ \
300 @@basedir@@/bin/git-http-backend-verify$1$2 \
304 # ---- END LINES TO DUPLICATE ----
309 # Change the setting of $TLSHost in Girocco::Config.pm to change
310 # whether or not the following https virtual host is enabled.
312 <IfDefine @@TLSHost@@>
314 # This is an example configuration of an https virtualhost running Girocco, as set
315 # up at repo.or.cz; unfortunately, completely independent from Girocco::Config.
316 # It is not essential for Girocco to use a special virtualhost, however.
317 # The Config.pm $httpspushurl variable needs to be defined to properly enable
321 # These certificate files will all be automatically generated, but the
322 # paths here may need to be corrected to match the paths
323 # (especially $certsdir) from Config.pm
# Server certificate, its private key and the intermediate chain.
# NOTE(review): the key file is the server's private key; confirm it is readable
# only by the account that starts Apache. SSLCertificateChainFile is deprecated
# as of Apache httpd 2.4.8, where the chain can go in SSLCertificateFile.
325 SSLCertificateFile @@certsdir@@/girocco_www_crt.pem
326 SSLCertificateKeyFile @@certsdir@@/girocco_www_key.pem
327 SSLCertificateChainFile @@certsdir@@/girocco_www_chain.pem
328 # when using a paid www server cert, only the above three lines should
329 # be changed. Changing any of the below two lines (other than updating
330 # the paths to match $certsdir) will likely break https client auth
# SSLCACertificateFile is the CA that client certificates are verified against;
# SSLCADNRequestFile sets the CA names sent to clients when a certificate is
# requested.
331 SSLCACertificateFile @@certsdir@@/girocco_root_crt.pem
332 SSLCADNRequestFile @@certsdir@@/girocco_client_crt.pem
# +FakeBasicAuth turns the subject of a verified client certificate into a
# Basic-auth user name; +StrictRequire makes SSL requirement failures deny
# access even where "Satisfy any" would otherwise allow it.
335 SSLOptions +FakeBasicAuth +StrictRequire
338 # This configuration allows fetching over https without a certificate
339 # while always requiring a certificate for pushing over https
# "optional" lets the TLS handshake complete without a client certificate; a
# certificate that is presented is still verified against the configured CA.
341 SSLVerifyClient optional
# Flag push discovery: GET/HEAD on .../info/refs with service=git-receive-pack.
342 RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
343 RewriteCond %{QUERY_STRING} (^|&)service=git-receive-pack(&|$) [NC]
344 RewriteRule /info/refs$ - [NC,NS,env=client_auth_required:1]
# Flag the push itself: POST to .../git-receive-pack.
345 RewriteCond %{REQUEST_METHOD} =POST [NC]
346 RewriteRule /git-receive-pack$ - [NC,NS,env=client_auth_required:1]
# A flagged request without a successfully verified client certificate is
# answered with 401.
# NOTE(review): at this layer the certificate requirement for pushing rests on
# the two URL/method patterns above and on mod_rewrite being active; confirm
# the push backend also refuses unauthenticated receive-pack requests.
347 RewriteCond %{ENV:client_auth_required} 1
348 RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
349 RewriteRule .? %{REQUEST_URI} [NS,R=401]
# NOTE(review): "Deny from env=..." is Apache 2.2-style access control (provided
# by mod_access_compat on 2.4). The directives around it (Order/Satisfy,
# AuthType, Require) are missing from this listing, so how this denial combines
# with the authentication below cannot be determined from here.
353 Deny from env=client_auth_required
354 SSLOptions +FakeBasicAuth
355 AuthName "Git Client Authentication"
357 AuthBasicProvider anon
# 401 responses are rendered by authrequired.cgi.
362 ErrorDocument 401 /authrequired.cgi
366 # ALL the entire contents from the <VirtualHost *:80> section at
367 # the top of this file must be copied here.
369 # To avoid this duplication, the contents of the <VirtualHost *:80>
370 # section above can be moved to a separate file and then included
371 # both here and in the <VirtualHost *:80> section using an Include
372 # directive. Be careful not to place the new include file in one of the
373 # directories the standard apache configuration blindly includes all
376 # ---- BEGIN DUPLICATE LINES ----
378 # ---- END DUPLICATE LINES ----